Windows XP in Utilities Could Mean Big Security Problems

Utility operators will face new security challenges once Microsoft Corp. ends support for the Windows XP operating system next month. The operating system used to manage systems that control utility operations could become easier to hack, leading to potential disruptions in service, experts say.

Windows XP is widely used on workstations in nearly all of the electric and gas utilities in the U.S., Michael Assante, former vice president and chief security officer for the North American Electric Reliability Corp. and former chief security officer for American Electric Power Co. Inc., told CIO Journal.

After April 8, when Microsoft stops providing security updates or technical support for Windows XP, it will be easier for cyberattackers to create malicious software that could take advantage of the unpatched OS to create regional blackouts or industrial accidents, he said. Microsoft’s move should not come as a surprise to anyone, as the company began broadcasting its intentions years ago. But upgrading is not something many utilities can easily accomplish. Because of the way today’s utility management systems incorporate Windows XP, it could cost a utility more than $100 million and several years of work to upgrade an outdated system.

Microsoft says it will help customers migrate to “a more modern platform” and will continue providing updates to its “antimalware signatures and engine for Windows XP users through July 14, 2015.” But Microsoft also notes that “the effectiveness of antimalware solutions on out-of-support operating systems is limited.”

In 2013, the energy sector accounted for 59% of the cyber incidents reported to the Department of Homeland Security’s industrial control systems cyber emergency response team (ICS-CERT), according to a report released on February 14. The agency also said several incidents targeted makers of industrial control systems devices and software.

While Windows XP is used on workstations in different parts of utilities, some security experts are particularly concerned about its use on workstations in utility control centers that supervise operational conditions in the field, such as the amount of gas pressure on a particular line. With a zero-day attack, it is possible to affect operations, said Mr. Assante, who is now the industrial control systems lead for SANS Institute, a cybersecurity research and education organization. “You could fool the operator and blind them to conditions that are occurring,” he said.

Other security researchers agree with Mr. Assante’s assessment. “The opportunity for zero day exploits is incredibly high,” said Patrick C. Miller, founder of the nonprofit Energy Sector Security Consortium and a managing partner at The Anfield Group, a security consulting firm.

Utility staff trust the levels, values and alerts these systems give them, said one security expert who formerly conducted security audits for various utilities. In one scenario, a management workstation at a gas utility could be hacked to make it falsely report low pressure in a gas line. An analyst who raises the pressure to compensate could unknowingly cause an explosion, he said.

To be sure, nobody is predicting major disasters to take place in the immediate term. But the longer industrial companies continue to rely on an operating system that is not receiving regular security updates, the greater the potential for danger. “We’ve always had an ongoing concern because many industrial technology users weren’t patching and keeping things up to date,” said Mr. Assante.

Part of the problem stems from the typical lifecycle of industrial control system software, which utilities may keep running for 10-15 years. In the early 2000s, many utilities moved from UNIX systems to those based on Windows XP. “We’re in a situation now where Windows XP is three generations behind current technology,” said Mr. Assante.

In the past, an out-of-date operating system was more widely accepted because industrial plants weren’t as connected to networks as they are today. Over the last five years, there has been a major effort to have a connected plant and share data, said Mr. Assante.

Upgrading to Windows 7 or Windows 8 is much more costly and complex in an industrial setting than it is in most business networks. Most utilities globally buy energy management systems from a handful of vendors, according to Mr. Miller. It can take years to upgrade to a newer operating system and it can cost more than $100 million to upgrade those systems, he said. Partly, that has to do with customization and interoperability testing to make sure the new software works with legacy systems. In most cases, software suppliers have clauses in contracts that would void the warranties if utilities tried to upgrade the operating system themselves, said Mr. Miller.

The result is that many utilities and software makers have been slow to upgrade. “In late 2013, one of our clients got a brand new energy management system for a large utility delivered with Windows XP,” said Mr. Miller.

Comments (5 of 56)

Well it is a very wonderful blog post. Thanx for sharing this kind of information and facts here. I really hope you will definitely continue enlightening individuals in future also, with the help of this type of useful info. Carry on the good work.

www.surfworld.com

4:41 pm April 7, 2014

a wrote:

@ Cinco de Mayo "Microsoft should not give up on XP. If they don't want to deal with it anymore they should sell it. A company like Google, Adobe, Oracle or Apple could be able to buy and maintain it."
lol they could not afford the price tag, apple had a hard enough time getting rights to directx 9 let alone everything on XP

10:20 am March 11, 2014

U_Analyst wrote:

Electric utilities that have not rolled out smart meters are likely to be using older legacy systems; they could still be using Windows XP. For those of you who don’t work in enterprise IT, please note that upgrading an OS is a significant task and most IT departments and business users alike cringe at the thought of it. Security is a huge issue but so is compatibility (browser 32-bit, 64-bit etc…). Additionally, utilities are having a hard time getting all their software vendors & partners to provide Windows 7 & 8 compatibility.

11:33 pm March 10, 2014

. wrote:

Same as for all computer users - what's so different, super, extraordinary can Win 8 do so much better than XP? If utilities spend many millions and long hours refitting, retraining, remaintaining a new system that MS has decided to create and try to force everyone to buy, in the end - the new expensive investment will do what - the same exact functions as Win XP did for their utilities. The fear plant is for pure profits as Microsoft decides for itself. Y2K fear was as much a flop as Win 8 is. Y2K passed with ease and without hassle - there were not mass workers stressing to the last minute all across the world. For most utilities, simple basic repeat function is all that's necessary and can be accomplished offline totally safe - why bother spending many millions and hours and more to do the same thing? New systems can be hacked and controlled just as old systems, so that threat is ever constant even with a new Win 8 super system.

10:50 pm March 10, 2014

Chris in SC wrote:

The top ten people in all of these companies should be held jointly responsible. If they don't get it fixed they should be fired.